Welcome to the VanDyke Software Forums

  #1  
Old 04-28-2010, 10:44 AM
johninar
Registered User
 
Join Date: Jan 2008
Posts: 3
SecureCRT fails to connect to Cisco router

I have a router that I can't connect to. I have to use Putty or another client.
This router is set up for SSH V2. I deleted all the host keys in hopes this would fix the issue. I'm running SecureCRT Version 6.0.3 (build 311).
Suggestions anyone?

TIA,

John
  #2  
Old 04-28-2010, 11:00 AM
bgagnon
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 3,997
Hello John,

This is likely a known issue of incompatibility with Cisco IOS 12.4 or newer.

To verify this, would you send 'Trace Options' of your attempted connection using the instructions below?

Also, when you contact us via e-mail, please provide your serial number so I can check your upgrade eligibility.

To enable trace options output:
  • First, open SecureCRT's main "File" pull-down menu and select "Trace Options". If you open the "File" pull down menu again you should see a checkmark next to "Trace Options", indicating that troubleshooting output is now enabled.
  • Next, connect to the remote machine. With trace options enabled, you will notice debugging information displayed in the terminal window that isn't normally there by default when SecureCRT is attempting to establish a connection, and at certain times throughout the lifetime of the connection.
  • Once the problem occurs, please right-click inside the terminal window and choose "Select All", then right-click again and choose "Copy" to transfer the information to the Windows clipboard.
  • Finally, open a text editor like 'Notepad', paste the information from the Windows clipboard into the editor program, and save it as a text file.
Since trace options can contain sensitive information, feel free to send it as an attachment via e-mail to support@vandyke.com. Please reference "Attn Brenda - Forum Thread #5508" in the subject line.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #3  
Old 04-28-2010, 03:36 PM
zeromiler
Registered User
 
Join Date: Apr 2010
Posts: 4
SecureCRT fails to connect to Cisco router when using SSH

I'm having the same problem when I try to connect to a Cisco Router using SSH. Below is the trace output.

SecureCRT - Version 4.1.11 (build 297)
[LOCAL] : RECV : Remote Identifier = "SSH-1.99-Cisco-1.25"
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa
[LOCAL] : Selected Host Key Algo = ssh-rsa
[LOCAL] : Available Remote Send Ciphers = aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
[LOCAL] : Selected Send Cipher = aes128-cbc
[LOCAL] : Available Remote Recv Ciphers = aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
[LOCAL] : Selected Recv Cipher = aes128-cbc
[LOCAL] : Available Remote Send Macs = hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-md5
[LOCAL] : Available Remote Recv Macs = hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-md5
[LOCAL] : Available Remote Compressors = none
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none
[LOCAL] : Selected Decompressor = none
[LOCAL] : SEND : KEXDH_GEX_REQUEST
[LOCAL] : RECV: TCP/IP close
[LOCAL] : Connected for 0 seconds, 464 bytes sent, 728 bytes received
  #4  
Old 04-28-2010, 05:46 PM
jdev
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 926
Overcoming the Cisco "Invalid modulus length" error when connecting with SecureCRT

SecureCRT's "Trace options" (enable it in SecureCRT's main "File" menu prior to attempting a connection) output often shows a common pattern representing a problem when connecting to some Cisco devices using the SSH2 protocol:

[LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1
...
[LOCAL] : SEND : KEXDH_GEX_REQUEST
[LOCAL] : RECV: TCP/IP close

In other words, the "group-exchange" kex algorithm was chosen, but when SecureCRT provided the Cisco device with its initial key exchange information, the Cisco device responds by closing the connection.

If you were to look at the debug information on the Cisco device, you'd likely see something along the lines of an error indicating, "Invalid modulus length". For example:
Apr 29 12:48:26.274: SSH2 0: Invalid modulus length
The "Invalid modulus length" problem is caused by a flaw in the secure shell implementation in place on affected Cisco devices. SecureCRT sends 2046 as the preferred key size for the "Diffie-Hellman Group" key exchange method. Some broken Cisco IOS versions incorrectly require the modulus length be a power of two, although the applicable SSH2 protocol RFC does not mandate this same restriction.

Newer versions of SecureCRT (6.1.2 or later) automatically perform a configuration change that will allow for easy interoperability between SecureCRT and Cisco devices that have this broken secure shell server implementation.

In the event that you are not running SecureCRT 6.1.2 or newer, any one of the following solutions would likely allow you to successfully connect to a Cisco device that is exhibiting the "Invalid modulus length" problem:

Apply a Bug-Fix to the Cisco Device:
Contact Cisco to receive the fix for Bug ID# "CSCsq51052" (likely only available to individuals with a current Cisco service contract).
Or:
Change the key exchange algorithm:
Note: Those of you reading this post who are using SecureCRT 5.1.x or newer can make this change directly in the SecureCRT application by either disabling the "diffie-hellman-group" key exchange method, or moving it to the top of the "Key exchange" list in the SSH2 category of the Session Options dialog, rather than editing the session's .ini file.

If you're using a version of SecureCRT that is older than 5.1.x, you'll need to edit the corresponding session's .ini file.

First, close all instances of SecureCRT. Then open the .ini file associated with the session you are dealing with and manually change the following line from:
S:"Key Exchange Algorithms"=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

to:
S:"Key Exchange Algorithms"=diffie-hellman-group1-sha1
Save your changes to the .ini file, and then start SecureCRT.

Or:
Change the preferred "GEX Preferred Size":
Close all instances of SecureCRT. Then open the .ini file associated with the session you are dealing with and manually change the following line from:
D:"GEX Preferred Size"=000007fe

to:
D:"GEX Preferred Size"=00000800
Save your changes to the .ini file, and then start SecureCRT.
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support

Last edited by jdev; 05-26-2010 at 11:22 AM.
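The negotiation jdev describes above, as an added example that is not part of the original thread or of SecureCRT: a Python script that spots the "GEX request, then TCP close" pattern in a trace, decodes the `GEX Preferred Size` .ini DWORD, applies the power-of-two check the affected IOS versions enforce, and encodes the SSH_MSG_KEX_DH_GEX_REQUEST (RFC 4419, message number 34) that carries the preferred size. The min/max bit sizes used in the request are assumed values, not SecureCRT's actual ones.

```python
import re
import struct

# Trace excerpt from post #3 in the thread, as a constructed list of lines.
TRACE = [
    '[LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1',
    '[LOCAL] : SEND : KEXDH_GEX_REQUEST',
    '[LOCAL] : RECV: TCP/IP close',
]

def is_power_of_two(n: int) -> bool:
    """The restriction the affected IOS versions wrongly enforce on the modulus length."""
    return n > 0 and (n & (n - 1)) == 0

def parse_gex_preferred_size(ini_line: str) -> int:
    """Decode the hex DWORD in a SecureCRT session .ini line,
    e.g. D:"GEX Preferred Size"=000007fe -> 2046."""
    m = re.fullmatch(r'D:"GEX Preferred Size"=([0-9a-fA-F]{8})', ini_line.strip())
    if not m:
        raise ValueError('not a GEX Preferred Size line')
    return int(m.group(1), 16)

def build_gex_request(min_bits: int, n_bits: int, max_bits: int) -> bytes:
    """Encode SSH_MSG_KEX_DH_GEX_REQUEST (RFC 4419, message number 34):
    one byte message id, then uint32 min, n (preferred) and max sizes in bits."""
    return struct.pack('>BIII', 34, min_bits, n_bits, max_bits)

def shows_gex_close_pattern(trace_lines) -> bool:
    """True when group-exchange is selected, the GEX request is sent, and the
    next line received is a TCP close: the pattern described in the thread."""
    gex_selected = False
    for prev, cur in zip(trace_lines, trace_lines[1:]):
        if 'Selected Kex Method = diffie-hellman-group-exchange' in prev:
            gex_selected = True
        if gex_selected and 'KEXDH_GEX_REQUEST' in prev and 'TCP/IP close' in cur:
            return True
    return False

def diagnose(trace_lines, ini_line: str) -> str:
    """Combine the trace pattern with the session's preferred size into a verdict."""
    n = parse_gex_preferred_size(ini_line)
    if shows_gex_close_pattern(trace_lines) and not is_power_of_two(n):
        return f'likely Invalid modulus length: preferred size {n} is not a power of two'
    return f'no Invalid modulus length signature (preferred size {n})'

if __name__ == '__main__':
    print(diagnose(TRACE, 'D:"GEX Preferred Size"=000007fe'))
    print(diagnose(TRACE, 'D:"GEX Preferred Size"=00000800'))
    # Assumed min/max of 1024 and 8192 bits; only n (2046) matters for the bug.
    print(build_gex_request(1024, 2046, 8192).hex())
```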
  #5  
Old 04-29-2010, 01:44 PM
zeromiler
Registered User
 
Join Date: Apr 2010
Posts: 4
That solution worked perfectly! Thanks.

Close all instances of SecureCRT. Then open the .ini file associated with the session you are dealing with and manually change the following line from:

S:"Key Exchange Algorithms"=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

to:

S:"Key Exchange Algorithms"=diffie-hellman-group1-sha1

Save your changes to the .ini file, and then start SecureCRT.

Last edited by zeromiler; 04-29-2010 at 01:50 PM.
  #6  
Old 04-29-2010, 04:03 PM
jdev
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 926
Zeromiler,

Thanks for letting us know what worked for you.

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support